CSAA Voice Mail Fraud Losses a Warning to All Businesses

[IMAGE]11983[/IMAGE]VIENNA, Va. — Steve Doyle, CEO and executive vice president of the Central Station Alarm Association (CSAA), has some cautionary advice to share with his electronic security brethren. The telephone voice mail system at your company could be a gateway for a fraudster to hack into and rack up costly international calls.

A hacker who infiltrated CSAA’s voice mail system in December placed overseas calls that amounted to about $300. Doyle considers the association lucky not to have suffered worse losses. He urges the industry’s thousands of installing security contractors to take precautions before they can be victimized as well.

 “I’m not as concerned about the few hundred dollars as I am making sure we’re locked down tight so it doesn’t happen again for thousands of dollars,” he says. “Businesses and trade associations across the United States are being hit much, much harder than we suffered.”

According to the FCC, while voice mail fraud is not a new phenomenon, offenders incessantly plague organizations of all sizes with little difficulty. The hacker will call into a voice mail system to find mailboxes that can be accessed by default passwords or passwords with familiar combinations, such as 1-2-3-4. Upon locating a target mailbox, the hacker can then use the password to access the phone system and place calls.

Here’s how: first the hacker changes the outgoing message on the voice mailbox to “Yes, I will accept the charges” or similar. The hacker then dials a collect call to the number that has been hacked. The operator — sometimes an automated function programmed to act on key words like “yes” — hears the outgoing message and the collect call is connected.

Hackers oftentimes target companies, especially toll-free customer service lines, during holidays and weekends when tampering is more likely to go unnoticed. Similar to CSAA, many victimized organizations don’t learn about the hacking until their phone company calls to report unusual activity or especially high phone bills.

“Fortunately [our service provider] notified us on a Monday morning that it looked like there had been fraud in the system. Somebody was placing calls to Somalia, so they shut it down,” Doyle says. “It was a pain for us because we were out of service for an entire day.”

Businesses with legacy PBX and key phone systems are especially vulnerable, although mailbox attacks on voice over IP (VoIP) systems are becoming more prevalent, says Mark Evans, CEO of BottaBoom Consulting LLC, a national telecom auditing firm based in Tucson, Ariz.

“Many businesses are negligent in getting the proper security they need or taking the necessary safeguards. They continue to have holes in their systems,” he says.

The first line of protection from hacking is to change the phone system’s default passwords that come preset by the vendor. Evans suggests companies should program the voice mail system to automatically prompt employees to change their passwords every 90 days at a minimum, and never use obvious passwords such as an address, birth date or phone number. Unused mailboxes, such as when an employee leaves the company, should be deleted immediately.

“You should also restrict call forwarding and conferencing features if they are not being used, since these functions can assist hackers in forwarding calls on your dime,” Evans says.

Expecting a phone service provider to forgive fraudulent international charges is not a likely scenario. Many service contracts include language that absolves the phone company of responsibility in the event of telecommunications fraud. Small businesses are the most vulnerable.

“Phone companies do a pretty good job of alerting their large customers if they are getting billed for international locations that can be considered out of the ordinary,” Evans says. “But the mom ‘n’ pop shops are the ones that are victimized a lot of the time. They are going to get stuck with a fat bill.”

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

About the Author


Although Bosch’s name is quite familiar to those in the security industry, his previous experience has been in daily newspaper journalism. Prior to joining SECURITY SALES & INTEGRATION in 2006, he spent 15 years with the Los Angeles Times, where he performed a wide assortment of editorial responsibilities, including feature and metro department assignments as well as content producing for latimes.com. Bosch is a graduate of California State University, Fresno with a degree in Mass Communication & Journalism. In 2007, he successfully completed the National Burglar and Fire Alarm Association’s National Training School coursework to become a Certified Level I Alarm Technician.

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add sales to your bottom line.

A free subscription to the #1 resource for the residential and commercial security industry will prove to be invaluable. Subscribe today!

Subscribe Today!

Get Our Newsletters